panva / jose

JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes
MIT License

Bun bun bun!! #579

Closed hiteshjoshi closed 1 year ago

hiteshjoshi commented 1 year ago

What happened?

Duuddee! Why import bun as a browser module? https://github.com/panva/jose/blob/22c05ceeaecb850c6933d4ef5bc0935a8acf6854/package.json#L80

I am using bun on the server because it's so sexy with typescript.

I wasted 2 hours thinking something was wrong with jwks-rsa https://github.com/auth0/node-jwks-rsa/issues/373

Version

Doesn't matter!

Runtime

Other (I will specify below)

Runtime Details

bun bun bun

Code to reproduce

https://github.com/panva/jose/blob/22c05ceeaecb850c6933d4ef5bc0935a8acf6854/package.json#L80


panva commented 1 year ago

> Why import bun as a browser module?

Because bun is Web Platform API first and node's crypto module compatibility is not guaranteed and will never be a 100%.

panva commented 1 year ago

> I wasted 2 hours thinking something was wrong with jwks-rsa auth0/node-jwks-rsa/issues/373

There isn't anything wrong with jwks-rsa, but it's a node module, not one made for other runtimes.

hiteshjoshi commented 1 year ago

Mention it on docs. Please?

panva commented 1 year ago

jwks-rsa has a package.json engines entry marking it node-only.

hiteshjoshi commented 1 year ago

BTW, the crypto works fine if I point bun to the node package of jose.

panva commented 1 year ago

> BTW, the crypto works fine if I point bun to the node package of jose.

It might for you, it might not for others. Open an issue with bun on how they resolve node-first module dependencies. Yours is not an isolated issue, I've seen them popping up and it's a runtime issue.

panva commented 1 year ago

FYI https://github.com/auth0/node-jwks-rsa/pull/374 give this branch a shot and let me know if there's anything else.

BRAVO68WEB commented 1 year ago

Hey @panva it's me again.

Here is my code.

```ts
import JwksClient from "jwks-rsa";
import JsonWebToken, { JwtHeader } from "jsonwebtoken";

// Fetch the tenant's signing keys once at startup.
const client = JwksClient({
    jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
})

const keySets: any = await client.getKeys();

// Wrap a base64 DER certificate (an x5c entry) in PEM armor.
export const certToPEM = (cert: string) => {
    cert = cert.match(/.{1,64}/g)!.join('\n')
    cert = `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----\n`;
    return cert;
}

export const verifySession = (token: string) => {
    // decode() does not check the signature; the header is only used to pick a key by kid.
    const decoded = JsonWebToken.decode(token, { complete: true }) as { header: JwtHeader, payload: any } | null;
    if (!decoded) {
        throw new Error("Malformed token");
    }
    const kid = decoded.header.kid;

    const keySet = keySets.find((key: { kid: string; }) => key.kid === kid);

    if (!keySet) {
        throw new Error("No key set");
    }

    const signingKey = certToPEM(keySet.x5c[0]);
    return JsonWebToken.verify(token, signingKey);
}
```

Here is my error

```
115 | 
116 |     if (!hasSignature && !options.algorithms) {
117 |       return done(new JsonWebTokenError('please specify "none" in "algorithms" to verify unsigned tokens'));
118 |     }
119 | 
120 |     if (secretOrPublicKey != null && !(secretOrPublicKey instanceof KeyObject)) {
                                          ^
TypeError: Right hand side of instanceof is not an object
      at /home/xxxxxxxxxx/hono-bun/node_modules/jsonwebtoken/verify.js:120:39
```

panva commented 1 year ago

https://bun.sh/docs/runtime/nodejs-apis#node-crypto Bun does not implement those APIs. Use jose, not jsonwebtoken.

You can replace both jwks-rsa and jsonwebtoken with jose.

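```js
import * as jose from 'jose'

// `jwt` holds the compact-serialized token to verify.
// Keys are fetched from the JWKS endpoint and selected by the token's header.
const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience',
})
console.log(protectedHeader)
console.log(payload)
```

BRAVO68WEB commented 1 year ago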

This was the code that got me a segmentation fault

panva commented 1 year ago

Then create a reproduction sample and open a Bun issue please, there's nothing I can do about those.

BRAVO68WEB commented 1 year ago

Sure man, thank you for helping me out.

panva commented 1 year ago

To explain, it is far more likely the segmentation fault is related to some other code and just presents itself when the jose code yields control. So it seems like jose is triggering it but it's not. The whole jose test suite gets executed using Bun without segmentation faults.

BRAVO68WEB commented 1 year ago

Hmm, one question!

I am using Auth0 to do openid stuff. My JWKS does not contain publicKey directly. I use x5c to create it. Can this be the reason?

PS: Also the jwks-rsa is your custom branch from GitHub, not from npm

BRAVO68WEB commented 1 year ago

The OP is correct. Everything is fine in node

panva commented 1 year ago

> My JWKS does not contain publicKey directly

JWKs are the public keys, just in a JWK format.

BRAVO68WEB commented 1 year ago

Ohhh got